Extensive sharing of data and granting of permissions is the very essence of open banking. Without this, its numerous business benefits could not exist. But these actions also pose security and privacy risks that naturally concern every user.
Is money and sensitive data safe when you engage in open banking? Does open banking risk unauthorized access to bank accounts?
The short answer is that open banking has watertight protection at every level. Thanks to a potent combination of stringent regulation, advanced technologies, the integral role of banks’ own secure environments, and account owner control, open banking is every bit as safe as traditional banking.
We take a look at what’s at stake and explain the measures that safeguard users’ legitimate open banking interests.
What’s at Stake
Using open banking to facilitate financial services, streamline operations, and access new opportunities requires businesses to grant third-party access to a wide variety of information. Depending on the service being utilized, this may include account details, balances, transaction history, account holder information, and a host of other data related to finance, investments, payroll, tax and more.
Granting account access to relevant third parties enables identity verification, payment initiation, cash flow monitoring, credit scoring, and regulatory compliance. Services such as accounting software, expense tracking, payroll processing, and financial analysis are reliant on sharing a range of sensitive data.
Open Banking Has a Comprehensive Suite of Security Measures
Open banking is designed at every turn to facilitate the good while keeping out the bad. Tight protocols executed via state-of-the-art technology provide layer-upon-layer of security. And every third party with the power to extract data and influence transactions is governed by stringent regulation.
Stringent Regulation and Licensing
Open banking is a strictly regulated service, with stringent criteria around access to bank accounts for obtaining data and initiating payments. This covers aspects such as how bank account owners are authenticated, and how authorization is obtained, as well as how and where data is stored and what can be done with it. Data can never be used for other purposes than agreed with the owner, nor shared with other parties without express consent. Regulators keep a close eye on open banking providers’ adherence to GDPR, in order to protect data privacy.
Any service provider wishing to participate in open banking by accessing banks’ APIs must be licensed by its central bank. (This license is then portable to other countries.) Getting licensed means satisfying a raft of demands that ensure customers’ accounts are tightly protected. In addition to requirements from the central bank, these include guidelines from the European Banking Authority, and possibly also rules from other regulators, such as a competition authority.
Obtaining an open banking license requires open banking providers to show work procedures and risk logs as well as undergoing audits and externally-conducted penetration tests. To retain the license, all these checks must be performed at least annually, as well as when rolling out major releases.
In short, open banking regulations for protecting users’ accounts are extremely tough. Any service provider involved in accessing accounts and initiating payments has to repeatedly demonstrate watertight compliance before they get a foot in the door.
Integral Role of Banks’ Own Secure Environments
No open banking transaction can take place without passing through the relevant bank’s own highly secure environment. These environments, which exist within mobile apps and internet banking facilities, issue the login tokens that allow transactions to be initiated. Users’ final approval can only be given by accessing their bank account through the banking channel.
Among the wide range of regulated interactions that make open banking such a beneficial facility, this step within the process means bank-grade security always has the last word before transactions can take place.
Thanks to the mandated use of state-of-the-art encryption, certificates and secure APIs, open banking’s safety is fully underpinned at a technical level.
All data, both in transit (when moving from one system to another) and at rest (when stored in a database), is encrypted using best-practice industry standard encryption. APIs can only be accessed by parties that hold a valid eIDAS certificate issued by a Qualified Trust Service Provider (QTSP), and consent is obtained using OAuth. SCA (strong customer authentication) is applied to both authentication and authorization, and all interactions need to be traceable.
Users Stay in Control
Along with all the technical security for ensuring open banking safety, regulation also stipulates that users have a controlling stake.
Before a third party can access account information, the account owner must explicitly give consent. They can restrict what type of data is shared and limit the amount of time the third party has access. Account owners can also revoke consents instantly at any time.
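As an added illustration (not code from the article or from any open banking provider), the following Python snippet shows a fail-closed consent check that enforces the three controls described above: requested data types must lie within the consented scope, the consent must be inside its owner-chosen validity window, and a revoked consent is denied immediately. The consent fields, data-type names and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

# Constructed data-type names modelled on the categories the article lists.
DATA_TYPES = {"account_details", "balances", "transactions", "account_holder"}


@dataclass
class Consent:
    consent_id: str
    permissions: frozenset       # data types the account owner agreed to share
    granted_at: datetime
    valid_for: timedelta         # owner-chosen access duration
    revoked_at: Optional[datetime] = None

    def revoke(self, at: datetime) -> None:
        # Revocation is one-way: the earliest revocation time wins.
        if self.revoked_at is None:
            self.revoked_at = at


def check_access(consent: Consent, requested: Set[str], now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not explicitly allowed denies."""
    unknown = requested - DATA_TYPES
    if unknown:
        return False, "unknown data types: %s" % sorted(unknown)
    if consent.revoked_at is not None:
        return False, "consent revoked"          # instant, regardless of timing
    if now < consent.granted_at:
        return False, "consent not yet valid"
    if now >= consent.granted_at + consent.valid_for:
        return False, "consent expired"
    out_of_scope = requested - consent.permissions
    if out_of_scope:
        return False, "not in consented scope: %s" % sorted(out_of_scope)
    return True, "ok"


# Constructed fixture: a 90-day consent covering balances and transactions only.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def example_consent() -> Consent:
    return Consent("consent-example-1", frozenset({"balances", "transactions"}), T0, timedelta(days=90))


def days_after_grant(n: int) -> datetime:
    return T0 + timedelta(days=n)
```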
Protections Against Fraud
While open banking is designed for safety, it cannot prevent attempts to extract fraudulent payments. However, mechanisms are in place to protect consumers and businesses in the event of bad actions.
Open banking providers are obliged to provide suitable customer complaints procedures. Escalation to a regulatory body also exists as a fallback in the event of unsatisfactory outcomes.
At the same time, businesses do not have to worry about chargeback fraud because open banking does not have a chargeback mechanism.
Open Banking Is Safe at Every Turn
Thanks to strict regulation and multiple security layers, open banking is as safe as any system can be for protecting money and data, while enabling game-changing business services.